Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 05:53
Static task: static1
Behavioral task: behavioral1
  Sample: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
  Resource: win10v2004-en-20220113
General
Target: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
Size: 150KB
MD5: e97162f11eea1b97cb1aa77282bac626
SHA1: d6e4cdf4e4abbd6cf4abfed6b6c1c16994ecc353
SHA256: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8
SHA512: 145cb128a6b5c974728528ed98f3c7d9b97a4ba2b4648c8c443c0c09a68a4f7805dbe395bcf4ea17cecab2a6ce37021c2a47fdca0e6eb155c46583afc40a9967
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid 4688, process MediaCenter.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation, process: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
-
Drops file in Windows directory 8 IoCs
Processes:
description: File opened for modification, ioc: C:\Windows\WinSxS\pending.xml, process: TiWorker.exe
description: File opened for modification, ioc: C:\Windows\WindowsUpdate.log, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log, process: svchost.exe
description: File opened for modification, ioc: C:\Windows\Logs\CBS\CBS.log, process: TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token: SeShutdownPrivilege, pid 1248, process svchost.exe
Token: SeCreatePagefilePrivilege, pid 1248, process svchost.exe
Token: SeShutdownPrivilege, pid 1248, process svchost.exe
Token: SeCreatePagefilePrivilege, pid 1248, process svchost.exe
Token: SeShutdownPrivilege, pid 1248, process svchost.exe
Token: SeCreatePagefilePrivilege, pid 1248, process svchost.exe
Token: SeIncBasePriorityPrivilege, pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
Token: SeBackupPrivilege, pid 3688, process TiWorker.exe
Token: SeRestorePrivilege, pid 3688, process TiWorker.exe
Token: SeSecurityPrivilege, pid 3688, process TiWorker.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 3576 wrote to memory of 4688 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process MediaCenter.exe)
PID 3576 wrote to memory of 4688 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process MediaCenter.exe)
PID 3576 wrote to memory of 4688 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process MediaCenter.exe)
PID 3576 wrote to memory of 3092 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process cmd.exe)
PID 3576 wrote to memory of 3092 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process cmd.exe)
PID 3576 wrote to memory of 3092 (pid 3576, process 11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe, target process cmd.exe)
PID 3092 wrote to memory of 3884 (pid 3092, process cmd.exe, target process PING.EXE)
PID 3092 wrote to memory of 3884 (pid 3092, process cmd.exe, target process PING.EXE)
PID 3092 wrote to memory of 3884 (pid 3092, process cmd.exe, target process PING.EXE)
Processes
-
C:\Users\Admin\AppData\Local\Temp\11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3576
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 4688
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11666db92a5a86c662e68a08b55b6219a9102063fdd0a4e3d4178187dda9dbc8.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3092
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3884
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1248
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3688
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 85599430d68643af2e64c1c2d9f9a85c
SHA1: 6f47e1e3304fc80e95eb54b86742b529f9d163e6
SHA256: 0ccfa9bb45790676bc598f1aeaf16d03abd770ca0d51bcb46dc25bb46b823b0a
SHA512: 85bb002e5adced84252ad924750ab597a0fa1ab1a916aee32d332816660287b0a2bb852066667b937672e8652220513c78cb7abb0a165d29c18d739253de7987